Decorate scope in most grant flows

AzureAD · rayluo · Dec 12, 2018 · Sep 1, 2016 · Aug 30, 2016 · Aug 31, 2016
commit 0c1bb4af39af44fb8c9737ce8565e86b3bf39f04
diff --git a/msal/application.py b/msal/application.py
@@ -1,5 +1,6 @@
 from . import oauth2
 from .authority import Authority
+from .request import decorate_scope
 from .client_credential import ClientCredentialRequest
 
 
@@ -23,7 +24,8 @@ def acquire_token_silent(
         client = oauth2.Client(self.client_id, token_endpoint=a.token_endpoint)
         refresh_token = kwargs.get('refresh_token')  # For testing purpose
         response = client.get_token_by_refresh_token(
-            refresh_token, scope=scope,
+            refresh_token,
+            scope=decorate_scope(scope, self.client_id, policy),
             client_secret=getattr(self, 'client_credential'),  # TODO: JWT too
             query={'policy': policy} if policy else None)
         # TODO: refresh the refresh_token
@@ -80,7 +82,8 @@ def __init__(
     def acquire_token_for_client(self, scope, policy=''):
         return ClientCredentialRequest(
             client_id=self.client_id, client_credential=self.client_credential,
-            scope=scope, policy=policy, authority=self.authority).run()
+            scope=scope,  # This grant flow requires no scope decoration
+            policy=policy, authority=self.authority).run()
 
     def get_authorization_request_url(
             self,
@@ -111,7 +114,7 @@ def get_authorization_request_url(
             self.client_id, authorization_endpoint=a.authorization_endpoint)
         return grant.authorization_url(
             redirect_uri=redirect_uri, state=state, login_hint=login_hint,
-            scope=scope,  # TODO: handle additional_scope
+            scope=decorate_scope(scope, self.client_id, policy),
             policy=policy if policy else None,
             **(extra_query_params or {}))
 
@@ -143,15 +146,16 @@ def acquire_token_by_authorization_code(
             So the developer need to specify a scope so that we can restrict the
             token to be issued for the corresponding audience.
         """
-        #    If absent, STS will give you a token associated to ONE of the scope
-        #    sent in the authorization request, typically the very first one.
-        #    So only omit this when you are working with only one scope.
-        scope = scope or ["openid", "email", "profile", "offline_access"]  # TBD
-
+        # If scope is absent on the wire, STS will give you a token associated
+        # to the FIRST scope sent during the authorization request.
+        # So in theory, you can omit scope here when you were working with only
+        # one scope. But, MSAL decorates your scope anyway, so they are never
+        # really empty.
         grant = oauth2.AuthorizationCodeGrant(
             self.client_id, token_endpoint=self.authority.token_endpoint)
         return grant.get_token(
-            code, scope=scope, redirect_uri=redirect_uri,
+            code, redirect_uri=redirect_uri,
+            scope=decorate_scope(scope, self.client_id, policy),
             client_secret=self.client_credential,  # TODO: Support certificate
             query={'policy': policy} if policy else None)
 

diff --git a/msal/request.py b/msal/request.py
@@ -3,6 +3,36 @@
 from .exceptions import MsalServiceError
 
 
+def decorate_scope(
+        scope, client_id, policy,
+        reserved_scope=frozenset(['openid', 'profile', 'offline_access'])):
+    scope_set = set(scope)  # Input scope is typically a list. Copy it to a set.
+    if scope_set & reserved_scope:
+        # These scopes are reserved for the API to provide good experience.
+        # We could make the developer pass these and then if they do they will
+        # come back asking why they don't see refresh token or user information.
+        raise ValueError(
+            "API does not accept {} value as user-provided scopes".format(
+                reserved_scope))
+    if client_id in scope_set:
+        if len(scope_set) > 1:
+            # We make developers pass their client id, so that they can express
+            # the intent that they want the token for themselves (their own
+            # app).
+            # If we do not restrict them to passing only client id then they
+            # could write code where they expect an id token but end up getting
+            # access_token.
+            raise ValueError("Client Id can only be provided as a single scope")
+        decorated = set(reserved_scope)  # Make a writable copy
+    else:
+        decorated = scope_set | reserved_scope
+    if policy:
+        # special case b2c scenarios to not send email and profile as scopes
+        decorated.discard("email")
+        decorated.discard("profile")
+    return decorated
+
+
 class BaseRequest(object):
 
     def __init__(

diff --git a/tests/test_application.py b/tests/test_application.py
@@ -15,7 +15,7 @@ class TestConfidentialClientApplication(unittest.TestCase):
     def test_confidential_client_using_secret(self):
         app = ConfidentialClientApplication(
             self.config['CLIENT_ID'], self.config['CLIENT_SECRET'])
-        result = app.acquire_token_for_client(self.scope, "policy")
+        result = app.acquire_token_for_client(self.scope)
         self.assertIn('access_token', result)
 
     def test_confidential_client_using_certificate(self):
@@ -27,7 +27,7 @@ def test_confidential_client_using_certificate(self):
             }
         app = ConfidentialClientApplication(
             self.config['CLIENT_ID'], certificate)
-        result = app.acquire_token_for_client(self.scope, "policy")
+        result = app.acquire_token_for_client(self.scope)
         self.assertIn('access_token', result)
 
     def test_get_authorization_request_url(self):
@@ -41,10 +41,10 @@ def test_get_authorization_request_url(self):
     def test_acquire_token_by_authorization_code(self):
         app = ConfidentialClientApplication(
             self.config['CLIENT_ID'], self.config['CLIENT_SECRET'])
-        auth_code = "OAQ...snipped..."
+        auth_code = self.config['AUTHORIZATION_CODE']  # TODO: It expires soon
         token = app.acquire_token_by_authorization_code(auth_code, self.scope2)
         self.assertEqual(token.get('error_description', ""), "")  # Expired?
-        # print(token)
+        print(token)  # Show your refresh token
 
     def test_acquire_token_silent(self):
         app = ConfidentialClientApplication(